yaraMail
Yara Scanner For IMAP Feeds and saved Streams
Stars
27
Ecosystems:
Python
yaraMail
Yara Scanner For IMAP Feeds and saved Streams
###What it does:
- reads an smtp formated email file or connects to IMAP / POP server
- reads emails and extracts attatchments. writes them to your os tmp dir
- If emails contains a zip file it extracts all the files and scans them
- Scans attatchemtns with chosen yara rule file.
- Writes the results to a Report File
- deletes the tmp dir created.
###Usage
- IMAP Feed
python yaraMail.py -e -o sampleReport.txt -i -u [email protected] -p password -f inbox sample.yar imap.gmail.com - POP Feed
python yaraMail.py -e -o sampleReport.txt -w -u [email protected] -p password sample.yar pop3.live.com - From File
python yaraMail.py -e -o sampleReport.txt sample.yar SampleMail.txt
###Reports
Here is an example of the report print out
From: Kevin Breen [email protected] Subject: Subject Line Att Name: Name of attatch.ext Matched Rules: Rule_Name1 Rule_Name2
###Misc The Attachement extract also extracts any Body to the EMail in either text/plain or text/HTML format -The text body of the email is typically named as part-001.ksh (this is what python mime guesses the ext as) -The HTML Body of the text is typically named as part-002.html
###ToDo
-Add verbose output